I INTRODUCTION

The purpose of this report is to prove mathematically that the specifications of the primitives of the protected DMS [1] correctly embody the protection principles designated by the mathematical model [2].

The validation technique is described, and the detailed validation of a representative sample of O-functions is included as an appendix.
II VALIDATION TECHNIQUE

2.1 Objective

The objective of the validation is to prove that the accesses of objects by subjects (in the secure DMS), which are formally specified in appendix IV of reference [1], do in fact conform to the axioms of the mathematical model.

These axioms are taken from section VI of reference [2], and are expressed using the notation and variables of the specifications. In addition, "≥_S" means "security level dominance", and "≥_I" means "integrity level dominance". Let S_V and I_V be the security and integrity levels, respectively, of variable V. M_V is the permission matrix associated with variable V. CUR_SEC and CUR_INT are the current security and integrity levels, respectively, of the subject of interest. Then the model axioms are:

(i) Direct Disclosure (Simple Security)
    Subject observes V  =>  CUR_SEC ≥_S S_V

(ii) Indirect Disclosure
    Subject modifies V  =>  CUR_SEC ≤_S S_V

(iii) Direct Modification
    Subject modifies V  =>  CUR_INT ≥_I I_V

(iv) Indirect "Contamination"
    Subject observes V  =>  CUR_INT ≤_I I_V

(v) Tranquility Principle
    A) CUR_SEC and CUR_INT are constant for any subject; and
    B) S_V and I_V are constant for any variable V.

(vi) Discretionary Access Control
    Subject accesses V  =>  (Subject, access) ∈ M_V.

Essentially, the validation consists of proofs based on the inspection of specification statements, invariants, and case table results. Arguments of reasonableness are used in the determination of an O-function's cases, and to justify discretionary access control.

The mathematical notation and semantics used in the validation are those of the formal specifications, and are described in §B of appendix III of reference [1]. The flow of the validation is maintained by the use of clear English statements.


2.2 Invariants

Invariants are general "relations", or conditions involving variables of the specification, which hold true between O-function invocations (i.e. between system states). They are proved inductively by showing that each O-function preserves each invariant [3]. The proofs involve inspection of the effects section of the relevant O-functions.
2.3 Case Tables

The purpose of the case tables is to identify the object accesses in all cases of the specified O-functions. Each case is defined by a distinct relationship among function inputs, and presents the protection levels of all variables observed and modified.

An inspection of a case table will prove that the protection level of each modified variable dominates the levels of all observed variables. Certain lemmas may be required to clearly justify the dominance relationship, and these are proved by invariants or the TRUE/FALSE value of exception conditions. In subsection 5.2 it is explained that this relationship ensures the satisfaction of non-discretionary requirements.

The set of all security-related O-functions is partitioned in such a way that each class of the partition consists of O-functions which possess analogous case tables. That is, input parameters, the number and type of accesses (observe or modify), and their levels are the same. Then the case tables of only certain representatives from each class are included in this report, in appendix I.
III DESIGN FUNDAMENTALS

The specification language was structured to facilitate the validation of the design. The semantics of the symbols used in the specifications most relevant to validation are summarized in this section.

3.1 Objects

Variables in the specifications represent the hidden kernel entities, directories, sign-on lists and the component entities of data base and user working area objects. Variables correspond to model objects since each possesses an identifier, a protection level, and a value.

The identifier of a variable is constructed in such a way as to indicate the characteristics of the design entity it represents, such as:

(i) user, kernel or data base environment (W, K or D);

(ii) the data type of the entity;

(iii) its owner (creator);

(iv) its name (for use in W);

(v) the kind of compound object of which it is a part (e.g. string, program, relation); and

(vi) its protection level.

The identifiers of variables isolated on a user basis (working area and kernel) do not include owner or level information, since they are "owned" by the current user, and their levels are stored in other variables. Their name is a mnemonic suggesting their role in the design.
3.2 Protection Level Assignment

Table 3.1 lists the protection levels which are assigned to the variables in the specifications.

The mathematical model explicitly gives the levels of the data base variables. Directories and sign-on lists are assigned the level of their contents. The level of a component entity of a data base object is taken to be the level component of its identifier.

Variables in the user's working area will assume the user's current (SIGNON) level. This is because they may be both observed and modified by the user.

In the hidden kernel area, certain variables contain data describing the current user, or his activities. Since the user set this data (by parameters) it will be assigned his current level. These variables are indicated in table 3.1 by level "K_CUR_LEVEL". The reserve table reflects successful reservation requests. The space quota gives the current session space resources of the user. The levels of the accumulator and temporaries reflect past "level" parameters. The current time is included to guarantee its correctness.

The levels of the accumulator and temporaries are set equal to the contents of K_LACC and K_LX (Y and Z too) respectively, since that is their purpose.

The open table is a five dimensional boolean array, which is partitioned according to the level dimension. That is, the level of each part of the open table is the level of the objects identified in that part, unless that level is strictly dominated by K_CUR_LEVEL. In that case the level of such a part is taken to be K_CUR_LEVEL [c.f. §4.1].
Variable                       Identifier        Level
-----------------------------------------------------------------------
Database (multi-level)
  directory                    D_D(level)        level
  sign-on list                 D_Q(level)        level
  exact size                   D_E(o,n,t,l)      l
  format                       D_F(o,n,t,l)      l
  history                      D_H(o,n,t,l)      l
  permission matrix            D_M(o,n,t,l)      l
  open list                    D_O(o,n,t,l)      l
  reserve queue                D_R(o,n,t,l)      l
  values                       D_V(o,n,t,l)      l
  maximum size                 D_Z(o,n,t,l)      l

Kernel (isolated)
  current user level           K_CUR_LEVEL       K_CUR_LEVEL
  current user identifier      K_CUR_ID          K_CUR_LEVEL
  current time                 K_CUR_TIME        K_CUR_LEVEL
  session space quota          K_CUR_QTA         K_CUR_LEVEL
  reserve table                K_RESERVE         K_CUR_LEVEL
  open table                   K_OPEN            K_CUR_LEVEL or K_OPEN[level] (1)
  accumulator level            K_LACC            K_CUR_LEVEL
  accumulator contents         K_IACC            K_LACC
  accumulator format           K_FACC            K_LACC
  accumulator values           K_VACC            K_LACC
  level of temporary           K_LX (2)          K_CUR_LEVEL
  temporary contents           K_IX (2)          K_LX
  temporary format             K_FX (2)          K_LX
  temporary values             K_VX (2)          K_LX

Working area (isolated)
  return code                  W_CODE            K_CUR_LEVEL
  relation value table         W_Vname           K_CUR_LEVEL
  relation format              W_Fname           K_CUR_LEVEL

Table 3.1 Protection Level Assignment

(1) The dominating level is assigned to each part of the open table.
(2) Y and Z temporaries as well.
3.3 Object Access

The accessing of objects is represented in the specifications by usage of a variable's identifier. An observe access is represented by a variable's appearance in a V-function derivation, an exception condition, or on the right-hand side of the "arrow" (←) in an assignment statement in an effects section. A modification access is represented by the appearance of a variable on the left-hand side of the "arrow" in an assignment statement.
3.4 Subjects

A subject is a process associated with each O-function invocation, whose sole purpose is to have the capability (authorization) to perform the observations and modifications required by the effects of the O-function.

When an O-function is invoked, one subject sets the return code (W_CODE) and the levels of the accumulator (K_LACC) and temporaries (K_LX, K_LY and K_LZ). The level of this subject is K_CUR_LEVEL [c.f. table 3.1]. Another subject performs all other modifications. An inspection of the case tables in appendix I will reveal that these modifications are all either at level "lv" (a parameter) or level "LA" (level of the accumulator), except for SIGNON, SIGNOFF and MOVE. Therefore the level of the second subject is established as that level.

Since the three exceptions are functions which perform multi-level observations and modifications, they are restricted to be performed by "trusted" processes such as the user control process (UCP) and the data base administrator (DBA).
IV PROOF OF INVARIANTS

4.1 Minimum K-level

4.1.1 Invariant

    K_LACC ≥ K_CUR_LEVEL
and
    K_Lx ≥ K_CUR_LEVEL, for x = X,Y,Z.

The levels of the kernel accumulator and temporaries always dominate the current user's level (K_CUR_LEVEL).

4.1.2 Requirement

This invariant ensures that parameter data (which is at level K_CUR_LEVEL) is never found in a kernel entity at a strictly dominated level (prohibits "write-downs").
4.1.3 Proof

An inspection of the case tables in appendix I will reveal that K_LACC is set by the following primitives:

(i) DKD, DKQ, LIST_DOWN, and WKB;

    An inspection of their specifications will reveal that the level K_LACC effect is:

        K_LACC ← K_CUR_LEVEL

(ii) DKE, DKH, DKM, DKR, DKV, and DKZ;

    An inspection of their specifications will reveal that the level K_LACC effect is:

        K_LACC ← LEV IF LEV ≥ K_CUR_LEVEL ELSE K_CUR_LEVEL

    where LEV is the level parameter.

    Clearly, these assignments result in the relation:

        K_LACC ≥ K_CUR_LEVEL

(iii) ASSIGN

    The level effect statement is:

        K_LACC ← K_Lsource IF source ∈ {ACC,X,Y,Z}.

    An inspection of the case tables will reveal that only the ASSIGN primitive modifies the temporaries X, Y and Z. The function of ASSIGN is such that data can be assigned to temporaries from two sources only:

    - the kernel accumulator; or
    - a working area (W) value.

    In the first case:

        K_Lx ≥ K_CUR_LEVEL, x ∈ {X,Y,Z},

    by the conclusions of (i) and (ii), since K_Lx was in K_LACC once.

    In the second case, K_Lx is not modified, so the invariant is not affected. Therefore, K_LACC ≥ K_CUR_LEVEL if source ∈ {X,Y,Z}.

    If source = ACC, there is no change in K_LACC and the invariant is unaffected.

    If source ∉ {ACC,X,Y,Z}, then K_LACC is not changed, so the invariant is unaffected.

    Note that the assignment of a working area value will occur only when the data conforms to the format data in the kernel, prohibiting assignment of values only to null kernel entities. Therefore, the levels of the kernel entities will dominate the values by the above arguments.

(iv) SIGNOFF

    The effect statements:

        K_LACC, K_Lx ← 0, x ∈ {X,Y,Z}
        K_CUR_LEVEL ← 0

    trivially satisfy the invariant.

Q.E.D.
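An added example (not the report's or the specification's code): a Python model of just the level effects listed in steps (i)-(iv) above, with the invariant of 4.1.1 checked after every primitive. Levels are integers ordered by >= (an assumption; the report's levels form a lattice), SIGNON is assumed to start K_LACC and the temporaries at the user's level since the trusted SIGNON lies outside this proof, and the unguarded DKE variant is constructed here to show what the ELSE branch prevents.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Tuple

TEMPS = ("X", "Y", "Z")

@dataclass
class Kernel:
    """Only the level variables the invariant talks about; other effects are omitted."""
    K_CUR_LEVEL: int
    K_LACC: int
    K_L: Dict[str, int] = field(default_factory=dict)   # K_LX, K_LY, K_LZ

def dominates(a: int, b: int) -> bool:
    return a >= b          # assumption: integer levels stand in for the lattice

def invariant_min_klevel(k: Kernel) -> bool:
    """4.1.1: K_LACC >= K_CUR_LEVEL and K_Lx >= K_CUR_LEVEL for x = X, Y, Z."""
    return dominates(k.K_LACC, k.K_CUR_LEVEL) and all(
        dominates(k.K_L[x], k.K_CUR_LEVEL) for x in TEMPS)

def signon(W: int) -> Kernel:
    """Assumed SIGNON: trusted, sets every kernel level to the user's level W."""
    return Kernel(K_CUR_LEVEL=W, K_LACC=W, K_L={x: W for x in TEMPS})

# (i) DKD, DKQ, LIST_DOWN, WKB:  K_LACC <- K_CUR_LEVEL
def dkd(k: Kernel) -> None:
    k.K_LACC = k.K_CUR_LEVEL

# (ii) DKE, DKH, DKM, DKR, DKV, DKZ:
#      K_LACC <- LEV IF LEV >= K_CUR_LEVEL ELSE K_CUR_LEVEL
def dke(k: Kernel, LEV: int) -> None:
    k.K_LACC = LEV if dominates(LEV, k.K_CUR_LEVEL) else k.K_CUR_LEVEL

# Constructed faulty variant for contrast: the ELSE branch dropped, so a level
# parameter below K_CUR_LEVEL is copied as-is (the write-down 4.1.2 forbids).
def dke_unguarded(k: Kernel, LEV: int) -> None:
    k.K_LACC = LEV

# (iii) ASSIGN: K_Ltarget <- K_Lsource IF source in {ACC, X, Y, Z}; a working
#       area value ("W") leaves the kernel level of the target untouched.
def assign(k: Kernel, target: str, source: str) -> None:
    if source not in ("ACC",) + TEMPS:
        return
    level = k.K_LACC if source == "ACC" else k.K_L[source]
    if target == "ACC":
        k.K_LACC = level
    else:
        k.K_L[target] = level

# (iv) SIGNOFF: K_LACC, K_Lx <- 0 and K_CUR_LEVEL <- 0
def signoff(k: Kernel) -> None:
    k.K_LACC = 0
    for x in TEMPS:
        k.K_L[x] = 0
    k.K_CUR_LEVEL = 0

def run_session(W: int, steps: Sequence[Tuple], guarded: bool = True) -> List[bool]:
    """Replay a scripted session; return the invariant's truth after each step."""
    ops: Dict[str, Callable] = {"DKD": dkd, "DKE": dke if guarded else dke_unguarded,
                                "ASSIGN": assign, "SIGNOFF": signoff}
    k = signon(W)
    results = []
    for op, *args in steps:
        ops[op](k, *args)
        results.append(invariant_min_klevel(k))
    return results

# Constructed session: a user at level 2 pulls in level-3 and level-1 objects.
SESSION = [("DKE", 3), ("ASSIGN", "X", "ACC"), ("DKE", 1), ("ASSIGN", "Y", "X"),
           ("DKD",), ("ASSIGN", "Z", "W"), ("SIGNOFF",)]

if __name__ == "__main__":
    print(run_session(2, SESSION))                      # all True
    print(run_session(2, [("DKE", 1)], guarded=False))  # [False]: a write-down
```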
4.2 Open Table

4.2.1 Invariant

Subscript a variable by t to indicate its value in the system state at time t. Then:

    K_OPEN_t(owner, name, type, level, access) = TRUE
      =>
    K_OPEN_{t-1}(owner, name, type, level, access) = TRUE
      OR (K_CUR_ID, access) ∈ D_M_{t-1}(owner, name, type, level)
      OR K_CUR_ID = owner

If an object has some access granted to it in a user's open table, then it was there in the preceding system state, or it was authorized in the object's permission matrix in the preceding state (when OPEN was requested).

4.2.2 Requirement

This invariant assures that the discretionary authorization mechanisms function correctly.
4.2.3 Proof

An inspection of the case tables in appendix I reveals that only O_APPEND, O_DELETE and SIGNOFF modify K_OPEN. Effects statements in O_DELETE and SIGNOFF set the K_OPEN entry of interest to FALSE, so only O_APPEND is relevant to this invariant.

There are two possibilities:

(i) O_APPEND was invoked at time (t-1), producing the system state at time t; or

(ii) O_APPEND was not invoked at time (t-1).

Suppose O_APPEND was not invoked at time (t-1). If K_OPEN(owner, name, type, level, access) = TRUE at time t, then it must be TRUE at time (t-1) as well, since K_OPEN is not modified in this case.

Otherwise, suppose O_APPEND was invoked at time (t-1). If the open table entry of interest is TRUE at time (t-1), then O_APPEND will return exception code "DO", and the entry will remain unchanged to time t.

If the entry is FALSE at time (t-1) and TRUE at time t, then exception ND = FALSE. That is, by the derivation of the ND exception:

    ¬((K_CUR_ID ≠ owner) ∧ ¬(∃x (K_CUR_ID, x) ∈ D_M_{t-1}(id)))
    ⇔ (K_CUR_ID = owner) ∨ (∃x (K_CUR_ID, x) ∈ D_M_{t-1}(id))

Effect [1] of O_APPEND states:

    K_OPEN(Access_set_0(id)) ← TRUE

Access_set_0 returns the set of tuples S:

    S = {(id, x) : (OWN = K_CUR_ID) ∨ (K_CUR_ID, x) ∈ D_M(id)}

by the derivation of the Access_set_0 and Auth_0 V-functions. The "access" in the invariant is one of these x's, since these are the accesses authorized.

Q.E.D.
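An added example (not from the report or the DMS specification): a Python model of the open-table invariant of 4.2.1, with O_APPEND computing Access_set_0 as in effect [1] and the invariant checked across every state transition. The identifiers, the access names "read"/"write", the permission matrices and the unchecked O_APPEND variant are all constructed here; the exception codes DO and ND follow the proof above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Id = Tuple[str, str, str, str]            # (owner, name, type, level)
Entry = Tuple[str, str, str, str, str]    # id + (access,), TRUE when present
ACCESSES = ("read", "write")              # constructed access names

@dataclass
class Kernel:
    K_CUR_ID: str
    K_OPEN: Set[Entry] = field(default_factory=set)
    D_M: Dict[Id, FrozenSet[Tuple[str, str]]] = field(default_factory=dict)

    def snapshot(self) -> "Kernel":        # the state at time t-1, for the invariant
        return Kernel(self.K_CUR_ID, set(self.K_OPEN), dict(self.D_M))

def access_set_0(k: Kernel, id_: Id) -> Set[Tuple[Id, str]]:
    """S = { (id, x) : (OWN = K_CUR_ID) v (K_CUR_ID, x) in D_M(id) }"""
    own = id_[0]
    return {(id_, x) for x in ACCESSES
            if own == k.K_CUR_ID or (k.K_CUR_ID, x) in k.D_M.get(id_, frozenset())}

def o_append(k: Kernel, id_: Id) -> Optional[str]:
    """Returns the exception code raised, or None when effect [1] was applied."""
    if any(e[:4] == id_ for e in k.K_OPEN):
        return "DO"                         # already open: K_OPEN unchanged
    s = access_set_0(k, id_)
    if not s:
        return "ND"                         # neither owner nor present in D_M(id)
    for i, x in s:                          # effect [1]: K_OPEN(Access_set_0(id)) <- TRUE
        k.K_OPEN.add(i + (x,))
    return None

def o_append_unchecked(k: Kernel, id_: Id) -> Optional[str]:
    """Constructed faulty variant: opens every access without consulting D_M."""
    for x in ACCESSES:
        k.K_OPEN.add(id_ + (x,))
    return None

def o_delete(k: Kernel, id_: Id) -> Optional[str]:
    k.K_OPEN = {e for e in k.K_OPEN if e[:4] != id_}   # entries set to FALSE
    return None

def invariant_open_table(prev: Kernel, cur: Kernel) -> bool:
    """4.2.1: K_OPEN_t(...) = TRUE  =>  K_OPEN_{t-1}(...) = TRUE
       OR (K_CUR_ID, access) in D_M_{t-1}(id)  OR  K_CUR_ID = owner."""
    for e in cur.K_OPEN:
        id_, access = e[:4], e[4]
        if e in prev.K_OPEN:
            continue
        if (cur.K_CUR_ID, access) in prev.D_M.get(id_, frozenset()):
            continue
        if cur.K_CUR_ID == id_[0]:
            continue
        return False
    return True

OPS: Dict[str, Callable[[Kernel, Id], Optional[str]]] = {
    "O_APPEND": o_append, "O_DELETE": o_delete, "O_APPEND_UNCHECKED": o_append_unchecked}

def run(k: Kernel, trace) -> List[Tuple[Optional[str], bool]]:
    """Apply each (op, id) and record (exception code, invariant held) per transition."""
    out = []
    for op, id_ in trace:
        prev = k.snapshot()
        out.append((OPS[op](k, id_), invariant_open_table(prev, k)))
    return out

# Constructed sample: alice owns NOTES, bob granted alice "read" on PAYROLL,
# carol granted alice nothing on LEDGER.
NOTES: Id = ("alice", "notes", "R", "secret")
PAYROLL: Id = ("bob", "payroll", "R", "secret")
LEDGER: Id = ("carol", "ledger", "R", "secret")

def fresh_kernel() -> Kernel:
    return Kernel("alice", D_M={PAYROLL: frozenset({("alice", "read")})})

def demo() -> List[Tuple[Optional[str], bool]]:
    return run(fresh_kernel(), [("O_APPEND", NOTES), ("O_APPEND", PAYROLL),
                                ("O_APPEND", LEDGER), ("O_APPEND", NOTES),
                                ("O_DELETE", NOTES), ("O_APPEND_UNCHECKED", LEDGER)])

if __name__ == "__main__":
    print(demo())   # the invariant holds until the unchecked variant runs
```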
4.3 Identification

4.3.1 Invariant

    D_V(id) ∈ K_Vx and D_F(id) ∈ K_Fx  =>  K_Ix = id, for x = ACC,X,Y,Z.

At all times the identifiers (i.e. K_IACC, K_IX, K_IY, K_IZ) of the contents of the kernel accumulator and temporaries are a correct indication of the identity of their contents.

4.3.2 Requirement

This invariant is required for discretionary authorization, to ensure that data cannot masquerade when being presented to a user (KWA) or copied to the data base (KD...).

4.3.3 Proof

An inspection of the case tables in appendix I will reveal that K_IACC is modified by the O-functions in table 4.1. An inspection of the K_IACC effect in each function specification (included in table 4.1) will reveal that it is appropriate for the function.

Since only ASSIGN affects the temporaries, they contain only data previously in the accumulator. Assigning a user working area value to the values component of the accumulator or a temporary does not affect its identity.

Q.E.D.

Primitive     Identification Effect
-----------------------------------------------------------------------
DKD           K_IACC ← (K_CUR_ID, 'D', 'R', lv, 'V')
DKQ           K_IACC ← (K_CUR_ID, 'Q', 'R', lv, 'V')
LIST_DOWN     K_IACC ← (K_CUR_ID, DEF_NAME, 'R', K_CUR_LEVEL, 'V')
DKC           K_IACC ← (id, C), C ∈ {E,H,M,R,V,Z}
ASSIGN        K_Itarget ← K_Isource IF source ∈ {ACC,X,Y,Z}
WKB           K_IACC ← (K_CUR_ID, n, 'S', K_CUR_LEVEL, 'V')
SIGNOFF       K_IACC ← 0

Table 4.1 Table of Identification Data
V JUSTIFICATION OF PROTECTION

5.1 Non-discretionary Policy

The secure DMS has been designed in such a way that there is no modification access without an observation access, and vice versa.

An O-function execution involves two subjects: One executes at the single level of the data being modified, and performs all effects except the setting of W_CODE, K_LACC, K_LX, K_LY and K_LZ. (This is "Subject 2" in appendix I.) The other subject executes at the user's current level (K_CUR_LEVEL), and sets them ("Subject 1").

Therefore, the first four (non-discretionary) model axioms [c.f. § 2.1] are maintained by the specifications if it can be proved that for each O-function, the level of the modified variables dominates the levels of all observed variables, for each subject. This follows from the definition of protection levels and protection dominance [2].

The representative sample of case tables in appendix I do indeed prove that this is true for every O-function except SIGNON, SIGNOFF and MOVE.

Since the three exceptions violate the axioms, each must be executed by a special process, "trusted" to perform its function correctly. The user control process (UCP) executes SIGNON and SIGNOFF in response to a human user's request. MOVE may be invoked only by the data base administrator's process.

These "trusted" processes are required to execute at the system-high protection level, and therefore maintain at least the simple security [c.f. § 2.1] and indirect "contamination" axioms.


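As an added example (not from the report or the DMS specification), the following Python model encodes axioms (i)-(iv) of section 2.1 and the case-table criterion of sections 2.3 and 5.1, then runs both over the APP_DIR subject 2 case from appendix I and over a constructed write-down case. The lattice shape (security = rank plus category set, integrity = rank) and the combined protection-dominance ordering are assumptions, since the report defers both to reference [2].

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumed lattice shape: a security level is a rank plus a category set;
# an integrity level is a rank.  The report defers the real definition to [2].
@dataclass(frozen=True)
class Sec:
    rank: int
    cats: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Level:            # a protection level (S_V, I_V) of a variable or a subject
    sec: Sec
    integ: int

def sec_dominates(a: Sec, b: Sec) -> bool:
    """a >=_S b: higher-or-equal rank and a superset of categories."""
    return a.rank >= b.rank and a.cats >= b.cats

def int_dominates(a: int, b: int) -> bool:
    """a >=_I b: integrity ranks are assumed totally ordered."""
    return a >= b

def protection_dominates(a: Level, b: Level) -> bool:
    """Assumed protection dominance: data observed at b may flow into a,
    i.e. a >=_S b for security and b >=_I a for integrity."""
    return sec_dominates(a.sec, b.sec) and int_dominates(b.integ, a.integ)

# Axioms (i)-(iv), evaluated for a subject running at (CUR_SEC, CUR_INT) = cur.
def observe_axioms(cur: Level, v: Level) -> Dict[str, bool]:
    return {"(i) simple security": sec_dominates(cur.sec, v.sec),        # CUR_SEC >=_S S_V
            "(iv) contamination": int_dominates(v.integ, cur.integ)}     # CUR_INT <=_I I_V

def modify_axioms(cur: Level, v: Level) -> Dict[str, bool]:
    return {"(ii) indirect disclosure": sec_dominates(v.sec, cur.sec),   # CUR_SEC <=_S S_V
            "(iii) direct modification": int_dominates(cur.integ, v.integ)}  # CUR_INT >=_I I_V

@dataclass
class Case:
    """One case-table entry: the subject's level and what it observes / modifies."""
    subject: Level
    observed: Dict[str, Level]
    modified: Dict[str, Level]

def axiom_violations(case: Case) -> List[str]:
    """Check every access in the case directly against axioms (i)-(iv)."""
    out: List[str] = []
    for name, lvl in case.observed.items():
        out += [f"{ax} on observe {name}"
                for ax, ok in observe_axioms(case.subject, lvl).items() if not ok]
    for name, lvl in case.modified.items():
        out += [f"{ax} on modify {name}"
                for ax, ok in modify_axioms(case.subject, lvl).items() if not ok]
    return out

def case_table_check(case: Case) -> bool:
    """Section 2.3 criterion: every modified level dominates every observed level.
    With the subject placed at the level of the data it modifies (section 3.4),
    this one check stands in for axioms (i)-(iv)."""
    return all(protection_dominates(m, o)
               for m in case.modified.values() for o in case.observed.values())

# Constructed levels: W is the user's current level, LV the directory level.
W = Level(Sec(1, frozenset({"A"})), integ=2)
LV = Level(Sec(2, frozenset({"A", "B"})), integ=1)     # lv dominates W (lemma, by ~IL)

def app_dir_subject2() -> Case:
    """APP_DIR, case 1, subject 2 (appendix I): subject 2 runs at lv."""
    return Case(subject=LV,
                observed={"lv,n,t,lz": W, "K_CUR_LEVEL": W, "K_CUR_ID": W, "D_D(lv)": LV},
                modified={"D_D(lv)": LV})

def write_down_case() -> Case:
    """Constructed: the same effects with lv strictly dominated by W (IL would be raised)."""
    low = Level(Sec(0, frozenset()), integ=2)
    return Case(subject=low,
                observed={"K_CUR_LEVEL": W, "K_CUR_ID": W, "D_D(lv)": low},
                modified={"D_D(lv)": low})

if __name__ == "__main__":
    for c in (app_dir_subject2(), write_down_case()):
        print(case_table_check(c), axiom_violations(c))
```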


5.2 Tranquility Principle

It is assumed that the protection levels of the subjects performing the O-function effects remain constant.

Variables in the user working area are tranquil for the following reasons:

(i) they are completely isolated from other users; and

(ii) their level, K_CUR_LEVEL (by definition), is modified only by SIGNON (initialized) and SIGNOFF (purged).

In the data base, the protection level of an object is a parameter of the access (by the structure of identifiers [c.f. § 3.1]). Each different level parameter indicates a different object is to be accessed. Additionally, the design allows no movement of identifiers from one directory to another.

Isolation of the kernel working area, and the constancy of K_CUR_LEVEL, ensure that the following kernel entities maintain a constant protection level:

    K_CUR_LEVEL, K_CUR_ID, K_CUR_QTA,
    K_CUR_TIME, K_OPEN, K_RESERVE,
    K_LACC, K_LX, K_LY, K_LZ.

However, the level of the contents of the accumulator or a temporary may be changed by various O-functions. This apparent violation of tranquility is acceptable for the following reasons:

(i) an inspection of the case tables in appendix I will reveal that every modification of K_LACC, K_LX, K_LY or K_LZ has an associated modification of K_VACC, K_VX, K_VY or K_VZ, respectively; and

(ii) this modification is specified by means of an assignment statement, which requires the previous contents of the accumulator to be purged upon re-assignment (by definition).

In conclusion, it is evident that the tranquility principle of the model is maintained.
5.3 Discretionary Authorization

Discretionary authorization policy requires explicit permission to have been extended before a user may access a data base object.

The primitive function which establishes such permission is KDM. An inspection of its specification [1] will prove its correctness. That is, the "NO" exception ensures that there is discretionary authorization to extend discretionary authorization. This is made possible by defining ownership of a variable (indicated in its identifier) to imply complete discretionary authorization. The "IC" and "IV" exceptions ensure that the accumulator contains the appropriate permission matrix.

The only means of transferring data base objects to the user is by means of the KWA primitive, and the Discretionary_kwa V-function checks for appropriate authorization. The Open Table [c.f. § 4.2] and Identification [c.f. § 4.3] invariants ensure that the mechanisms involved in this check function correctly.

The only means of storing data in the data base is by means of the WDV, KDM and KDV O-functions. The NO exception in each of these functions checks for discretionary authorization.

The Open Table and Identification invariants ensure that all data in the hidden kernel area is correctly subject to discretionary authorization.

Table 5.1 summarizes the discretionary authorization mechanisms in the O-functions, leading to the conclusion that the discretionary authorization model axiom is maintained.
     Primitive    Discretionary Authorization      Primitive    Discretionary Authorization
----------------------------------------------------------------------------------------------
 1.  APP_DIR      directory is exempt              DKM          NO exception
 2.  DEL_DIR      directory is exempt              DKQ          signon list is exempt
 3.  REP_DIR      directory is exempt              DKR          NO exception
 4.  INIT         ownership                        DKV          NO exception
 5.  DESTROY      ownership                        DKZ          NO exception
 6.  RES          NO exception                     WKB          ownership
 7.  REQ          NO exception                     KDM          NO exception
 8.  REL          RS exception                     KDV          NO exception
 9.  SIGNON       trusted process                  KDZ          ownership
10.  SIGNOFF      trusted process                  WDV          NO exception
11.  O_APPEND     ND exception                     KWA          Discretionary_kwa
12.  O_DELETE     NO exception                     PROJECTW     ownership
13.  APPEND       hidden                           SELECTW      ownership
14.  ASSIGN       hidden                           APPENDW      ownership
15.  CONCAT       hidden                           CROSS        ownership
16.  EXTRACT      hidden                           ARITH        ownership
17.  SELECT       hidden                           ASSIGNW      ownership
18.  PROJECT      hidden                           SIZE         ownership
19.  LIST_DOWN    exemption                        APFOR        ownership
20.  DKD          directory is exempt              DIFF         ownership
21.  DKE          NO exception                     MOVE         directory is exempt
22.  DKH          NO exception

Table 5.1 Discretionary Authorization Relevant to Each O-function
A.1.1 Introduction

This appendix contains detailed case tables [c.f. § 2.3] for certain O-function specifications. For each such O-function the following is included:

(i) its formal specification from appendix IV of reference [1];

(ii) flow diagrams illustrating the cases for each of the two subjects [c.f. § 3.4] performing the O-function; and

(iii) its set of case tables. The purpose of each case table is to prove that the level of each modified variable dominates the levels of all variables observed in that case.

The security related primitives are the only ones requiring certification, and these may be categorized according to analogous case tables. The case tables for a representative sample of O-functions are included in this appendix. The sample consists of at least one O-function from each category (subsection A.1.3).

Three primitive functions break some of the rules of the "strict" protection policy, but they are essential for computerized data management. These are SIGNON, SIGNOFF and MOVE, and their case tables are found in subsection A.1.4.
A.1.2 Notation Used in Case Tables

The symbols and mnemonics used in the case tables are taken from the formal specifications, and are described in appendices III and IV of reference [1]. Additionally, the following abbreviations are used:

abbreviation   meaning
W              User's current protection level (K_CUR_LEVEL)
LA             Level of the kernel accumulator
LX             Level of a kernel temporary
L1 ⊔ L2        The dominant level of L1 and L2
L1 ⊓ L2        The dominated level of L1 and L2
id[LEV]        The level component of the identifier
LEV            An abbreviation for id[LEV]
ACC            Kernel accumulator
UCP            User Controller Process
A.1.3 The Sample Validations

The set of all security-related O-functions is categorized below according to analogous case tables. Those whose case tables are found in this section are so indicated.

Category                     Case Tables Included    Case Tables Not Included
-------------------------------------------------------------------------------
Directory manipulation       APP_DIR                 DEL_DIR, REP_DIR
Object existence             INIT                    DESTROY
Object reservation           REQ                     RES, REL
Access authorization         O_APPEND                O_DELETE
Accumulator manipulation     APPEND, CONCAT          ASSIGN, EXTRACT, SELECT, PROJECT, LIST_DOWN
Transfer to accumulator      DKD, DKE                DKH, DKM, DKQ, DKR, DKV, DKZ
Transfer to data base        KDM, KDV, KDZ           WDV
Working area                 KWA                     WKB
Access DMS                   SIGNON, SIGNOFF
Data base administrator      MOVE

Table A.1.1 Table of O-function Categories
APP_DIR

PRIMITIVE: APP_DIR    CASE: 1    SUBJECT: 1

CONDITIONS: IR
    Register attempted at level not strictly dominated by that of the definition entry.

                 OBSERVED          LEVEL        MODIFIED    LEVEL
PARAMETERS:      lv, n, t, lz      W            W_CODE      W
CONSTANTS:       O, IR             Unclass
VARIABLES:       (none)

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W


PRIMITIVE: APP_DIR    CASE: 2    SUBJECT: 1

CONDITIONS: (~IR) ∧ IL
    Directory level does not strictly dominate the user's current level.

                 OBSERVED          LEVEL        MODIFIED    LEVEL
PARAMETERS:      lv, n, t, lz      W            W_CODE      W
CONSTANTS:       O, IL             Unclass
VARIABLES:       K_CUR_LEVEL       W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W


PRIMITIVE: APP_DIR    CASE: 3    SUBJECT: 1

CONDITIONS: (~IR) ∧ (~IL) ∧ (W=lv) ∧ DD
    The directory entry already exists.

                 OBSERVED          LEVEL        MODIFIED    LEVEL
PARAMETERS:      lv, n, t, lz      W            W_CODE      W
CONSTANTS:       O, DD             Unclass
VARIABLES:       K_CUR_LEVEL       W
                 D_D(lv)           lv=W
                 K_CUR_ID          W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W


PRIMITIVE: APP_DIR    CASE: 4    SUBJECT: 1

CONDITIONS: (~IR) ∧ (~IL) ∧ (W=lv) ∧ (~DD)
    No exceptions.

                 OBSERVED          LEVEL        MODIFIED    LEVEL
PARAMETERS:      lv, n, t, lz      W            W_CODE      W
CONSTANTS:       O, DN             Unclass
VARIABLES:       K_CUR_LEVEL       W
                 D_D(lv)           lv=W
                 K_CUR_ID          W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W


PRIMITIVE: APP_DIR    CASE: 1    SUBJECT: 2

CONDITIONS: (~IR) ∧ (~IL) ∧ (~DD)
    No exceptions.

                 OBSERVED          LEVEL        MODIFIED    LEVEL
PARAMETERS:      lv, n, t, lz      W            D_D(lv)     lv
CONSTANTS:       O, DN             Unclass
VARIABLES:       K_CUR_LEVEL       W
                 K_CUR_ID          W
                 D_D(lv)           lv

HIGHEST LEVEL OBSERVED: lv
LOWEST LEVEL MODIFIED:  lv

LEMMA: lv ≥ W
PROOF: ~IL
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i-function  INIT  (n,  t,  lv,s) 
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PRIMITIVE 


INIT 


CASE;  1 


SUBJECT:  i 


CONDITIONS:  IL 

Level  of  object  to  be  initialized  does  not 
dominate  user's  current  level. 


OBSERVED 

LEVEL 

MODIFIED 

LEVEL 

PARAMETERS: 

W 

n , t , lv, s 

W_CODE 

W 

CONSTANTS : 

Unclass 

IL 

VARIABLES: 

K_C  U R_LE  VE  L 

W 

HIGHEST  LEVEL  OBSERVED: 

w 

LOWEST  LEVEL  MODIFIED: 

W 

PRIMITIVE : INIT  CASE : 2 SUBJECT:  1 

CONDITIONS  : (~IL)  a (W=1v)  a DE 

Object  is  not  defined  in  the  directory,  and 
the  object  level  equals  the  user's  current  level. 


OBSERVED 

LEVEL 

MODIFIED 

LEVEL 

PARAMETERS  : 

n , t , lv, s 

w 

W_CODE 

W 

CONSTANTS : 

Unclass 

ZERO,  DE 

VARIABLES: 

K CUR  LEVEL 
K CUR  ID 
D_D  ( lv) 

W 

W 

lv=W 

HIGHEST  LEVEL  OBSERVED: 

w 

LOWEST  LEVEL  MODIFIED: 

w 
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PRIMITIVE:  INIT  CASE:  3 SUBJECT: 

CONDITIONS : (~il)  a (W=1v)  a (~DE)  a DD 

The  object  has  been  previously  initialized 


OBSERVED 

LEVEL 

MODIFIED 

LEVEL 

PARAMETERS: 

w 

n, t, lv,s 

W_CODE 

w 

CONSTANTS : 

Unclass 

ZERO,  DD 

VARIABLES: 

K CUR  LEVEL 

w 

K CUR  ID 

w 

D D ( lv) 

lv=W 

D-E (id) 

lv=W 

HIGHEST  LEVEL  OBSERVED: 

LOWEST  LEVEL  MODIFIED: 

w 

w 

PRIMITIVE:  INIT  CASE : 4 SUBJECT:  1 

CONDITIONS : (~IL)  a (W=1v)  a (~DE)  a (~DD)  a SZ 

The  requested  size  exceeds  user's  current  quota 


OBSERVED 

LEVEL 

MODIFIED 

LEVEL 

PARAMETERS  : 

n , t , lv , s 

W 

W_CODE 

W 

CONSTANTS  : 

ZERO , SZ 

Unclass 

VARIABLES: 

K CUR  LEVEL 
K CUR  ID 
D D ( lv) 

D E (id) 
K_CUR_QTA 

w 

w 

lv=W 

lv=W 

W 

HIGHEST  LEVEL 

OBSERVED: 

w 

LOWEST  LEVEL  MODIFIED: 

W 
PRIMITIVE: INIT    CASE: 5    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W = lv) ∧ (~DE) ∧ (~DD) ∧ (~SZ)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t, lv, s           W          W_CODE          W
CONSTANTS:              ZERO, 0, DN           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_CUR_ID              W
                        D_D(lv)               lv = W
                        D_E(id)               lv = W
                        K_CUR_QTA             W
                        K_CUR_TIME            W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: INIT    CASE: 6    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W ≠ lv)

    The object is initialized at a strictly
    dominating level.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t, lv, s           W          (null)          W
CONSTANTS:                                    Unclass
VARIABLES:              K_CUR_LEVEL           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

Note that this is the "null" modification; that is, W_CODE
is set in such a way that it signals that "lv strictly
dominates K_CUR_LEVEL", by ~IL.
PRIMITIVE: INIT    CASE: 1    SUBJECT: 2

CONDITIONS: (~IL) ∧ (~DE) ∧ (~DD) ∧ (~SZ) ∧ (W = lv)

    No exceptions. Initialize object at user's
    current level.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t, lv, s           W          D_E(id)         lv = W
                                                         D_H(id)         lv = W
                                                         D_Z(id)         lv = W
                                                         K_CUR_QTA       W
CONSTANTS:              ZERO, 0, DN           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_CUR_ID              W
                        D_D(lv)               lv = W
                        D_E(id)               lv = W
                        K_CUR_QTA             W
                        K_CUR_TIME            W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: INIT    CASE: 2    SUBJECT: 2

CONDITIONS: (~IL) ∧ (~DE) ∧ (~DD) ∧ (~SZ) ∧ (W ≠ lv)

    No exceptions. Initialize object at level
    strictly dominating user's current level,
    giving it zero size.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t, lv, s           W          D_E(id)         lv
                                                         D_H(id)         lv
                                                         D_Z(id)         lv
CONSTANTS:              ZERO, 0, DN           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_CUR_ID              W
                        D_D(lv)               lv
                        D_E(id)               lv
                        K_CUR_QTA             W
                        K_CUR_TIME            W

HIGHEST LEVEL OBSERVED:  lv
LOWEST LEVEL MODIFIED:   lv

LEMMA: lv ≥ W
PROOF: ~IL
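The check performed by every case table above is mechanical: form the least upper bound of the levels observed, the greatest lower bound of the levels modified, and confirm that the subject's current level dominates the former and is dominated by the latter (axioms (i) and (ii)). The following Python is an added example of that check, not code from the report or the DMS specification. Levels are modelled as a classification rank plus a category set, and the lattice values assigned to W, lv and Unclass are assumptions chosen so that lv strictly dominates W, as the INIT Subject 2, Case 2 lemma requires; the case contents are transcribed from the INIT Case 2 tables.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Level:
    """A security level: a classification rank plus a set of categories.
    L1 dominates L2 iff rank1 >= rank2 and cats1 is a superset of cats2."""
    rank: int
    cats: FrozenSet[str]

    def dominates(self, other: "Level") -> bool:
        return self.rank >= other.rank and self.cats >= other.cats


def join(a: Level, b: Level) -> Level:
    """Least upper bound of two levels."""
    return Level(max(a.rank, b.rank), a.cats | b.cats)


def meet(a: Level, b: Level) -> Level:
    """Greatest lower bound of two levels."""
    return Level(min(a.rank, b.rank), a.cats & b.cats)


def highest_observed(observed: Dict[str, Level]) -> Level:
    """The 'HIGHEST LEVEL OBSERVED' line of a case table: join of all observed levels."""
    return reduce(join, observed.values())


def lowest_modified(modified: Dict[str, Level]) -> Level:
    """The 'LOWEST LEVEL MODIFIED' line of a case table: meet of all modified levels."""
    return reduce(meet, modified.values())


def check_case(cur_sec: Level, observed: Dict[str, Level],
               modified: Dict[str, Level]) -> Tuple[bool, List[str]]:
    """Apply axioms (i) and (ii) to one case and report every offending access.

    (i)  Subject observes V  =>  CUR_SEC dominates S_V
    (ii) Subject modifies V  =>  S_V dominates CUR_SEC
    """
    problems: List[str] = []
    if observed and not cur_sec.dominates(highest_observed(observed)):
        for name, lvl in observed.items():
            if not cur_sec.dominates(lvl):
                problems.append(f"(i) observes {name} at {lvl}, not dominated by CUR_SEC {cur_sec}")
    if modified and not lowest_modified(modified).dominates(cur_sec):
        for name, lvl in modified.items():
            if not lvl.dominates(cur_sec):
                problems.append(f"(ii) modifies {name} at {lvl}, which does not dominate CUR_SEC {cur_sec}")
    return (not problems, problems)


# Assumed lattice values for the level names used in the tables.
UNCLASS = Level(0, frozenset())
W = Level(2, frozenset({"A"}))          # user's current level (K_CUR_LEVEL)
LV = Level(3, frozenset({"A", "B"}))    # lv: a level that strictly dominates W


def init_case2_subject1() -> Tuple[bool, List[str]]:
    """INIT, Case 2, Subject 1 (DE exception): everything observed is at W or Unclass."""
    observed = {"n,t,lv,s": W, "ZERO,DE": UNCLASS, "K_CUR_LEVEL": W,
                "K_CUR_ID": W, "D_D(lv)": W}
    return check_case(W, observed, {"W_CODE": W})


def init_case2_subject2(cur_sec: Level) -> Tuple[bool, List[str]]:
    """INIT, Case 2, Subject 2: create the object at lv, which strictly dominates W.
    Passes for a subject running at lv; fails axiom (i) for one running at W."""
    observed = {"n,t,lv,s": W, "ZERO,0,DN": UNCLASS, "K_CUR_LEVEL": W, "K_CUR_ID": W,
                "D_D(lv)": LV, "D_E(id)": LV, "K_CUR_QTA": W, "K_CUR_TIME": W}
    modified = {"D_E(id)": LV, "D_H(id)": LV, "D_Z(id)": LV}
    return check_case(cur_sec, observed, modified)


def write_down_example() -> Tuple[bool, List[str]]:
    """Hypothetical (not a case in the report): a subject at lv writing the W-level
    return code. Violates (ii); this is why such work is split off to a separate
    subject or replaced by a null modification."""
    return check_case(LV, {"K_CUR_LEVEL": W}, {"W_CODE": W})


if __name__ == "__main__":
    for label, result in [("INIT case 2 subject 1", init_case2_subject1()),
                          ("INIT case 2 subject 2 at lv", init_case2_subject2(LV)),
                          ("INIT case 2 subject 2 at W", init_case2_subject2(W)),
                          ("write-down", write_down_example())]:
        print(label, "OK" if result[0] else result[1])
```

Running it shows why the specification splits INIT into two subjects: the same observations and modifications that satisfy both axioms for a subject at lv violate simple security for one at W, and the reverse write of W_CODE at W from lv violates the indirect-disclosure axiom.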


REQ

    ... object (at the current level) if it'
    If not, wait until it is available.

    The open table is a five-dimensional array, with the "level" dimension
    assuming a lattice structure.

[Flowchart for REQ: Subject 2 (at level W). Not reproduced.]
PRIMITIVE: REQ    CASE: 1    SUBJECT: 1

CONDITIONS: NO

    Object is not open.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             o, n, t               W          W_CODE          W
CONSTANTS:              RSRV, NO              Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN                W⁵

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: REQ    CASE: 2    SUBJECT: 1

CONDITIONS: (~NO) ∧ RS

    User already has object reserved.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             o, n, t               W          W_CODE          W
CONSTANTS:              RSRV, RS              Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN                W⁵
                        K_RESERVE             W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

Note that reservation is restricted to a user's current level.
PRIMITIVE: REQ    CASE: 3    SUBJECT: 1

CONDITIONS: (~NO) ∧ (~RS) ∧ DL

    Object is reserved by another user, and to queue for
    it would risk deadlock.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             o, n, t               W          W_CODE          W
CONSTANTS:              RSRV, 0, DL           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN                W
                        K_RESERVE             W
                        D_R(id)               W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: REQ    CASE: 4    SUBJECT: 1

CONDITIONS: (~NO) ∧ (~RS) ∧ (~DL)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             o, n, t               W          W_CODE          W
CONSTANTS:              RSRV, 0, DN           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN                W
                        K_RESERVE             W
                        D_R(id)               W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: REQ    CASE: 1    SUBJECT: 2

CONDITIONS: (~NO) ∧ (~RS) ∧ (~DL)

    No exceptions. Reserve object on behalf of user.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             o, n, t               W          K_RESERVE       W
                                                         D_R(id)         W
CONSTANTS:              RSRV, 0, DN           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN                W
                        K_RESERVE             W
                        D_R(id)               W
                        K_CUR_ID              W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
(iii) V-function Opened_O(id): boolean

O_APPEND
PRIMITIVE: O_APPEND    CASE: 1    SUBJECT: 1

CONDITIONS: IL

    User's current level and object level are incomparable.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              IL                    Unclass
VARIABLES:              K_CUR_LEVEL           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: O_APPEND    CASE: 2    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W ≥ LEV) ∧ DO

    Object is open already.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              DO                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           LEV

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: O_APPEND    CASE: 3    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W ≥ LEV) ∧ (~DO) ∧ NE

    Non-existent object.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              NE                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           LEV
                        D_E(id)               LEV

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: O_APPEND    CASE: 4    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W ≥ LEV) ∧ (~DO) ∧ (~NE) ∧ ND

    User has no discretionary authorization.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              ND                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           LEV
                        D_E(id)               LEV
                        K_CUR_ID              W
                        D_M(id)               LEV

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: O_APPEND    CASE: 5    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W ≥ LEV) ∧ (~DO) ∧ (~NE) ∧ (~ND)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              APCY, EXPM, RDHS,     Unclass
                        RDPM, RDSZ, RETR,
                        RSRV, STOR, DN
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           LEV
                        D_E(id)               LEV
                        K_CUR_ID              W
                        D_M(id)               LEV

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: O_APPEND    CASE: 1    SUBJECT: 2

CONDITIONS: (~IL) ∧ (~DO) ∧ (~NE) ∧ (~ND) ∧ (W > LEV)

    No exceptions, for a strictly dominated object.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          K_OPEN          W
CONSTANTS:              EXPM, RDHS, RDPM,     Unclass
                        RDSZ, RETR, RSRV,
                        STOR, DN
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           LEV
                        D_E(id)               LEV
                        K_CUR_ID              W
                        D_M(id)               LEV

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: O_APPEND    CASE: 2    SUBJECT: 2

CONDITIONS: (~IL) ∧ (~DO) ∧ (~NE) ∧ (~ND) ∧ (LEV ≥ W)

    No exceptions. Level of object being opened
    dominates user's current level.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          D_O(id)         LEV
                                                         K_OPEN[LEV]     LEV
CONSTANTS:              APCY, EXPM, RDHS,     Unclass
                        RDPM, RDSZ, RETR,
                        RSRV, STOR, DN
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           LEV
                        D_E(id)               LEV
                        K_CUR_ID              W
                        D_M(id)               LEV

HIGHEST LEVEL OBSERVED:  LEV
LOWEST LEVEL MODIFIED:   LEV
APPEND

[Flowchart, not reproduced. Subject 1 (at level W) tests IL, IT, IC and IV
in turn and sets W_CODE to IL, IT, IC, IV or DN. Subject 2 (at level LA)
appends to K_VACC.]
PRIMITIVE: APPEND    CASE: 1    SUBJECT: 1

CONDITIONS: (xt ∈ {X,Y,Z}) ∧ (W ≥ LA) ∧ IL

    xt is a kernel temporary. However, its level
    is not dominated by the accumulator level.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (name of temporary) W         W_CODE          W
CONSTANTS:              IL                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lxt                 W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: W ≥ LA, and LA ≥ W by the Minimum K-level Invariant [cf. § 4.1].

PRIMITIVE: APPEND    CASE: 2A    SUBJECT: 1

CONDITIONS: (xt ∈ {X,Y,Z}) ∧ (W = LA) ∧ (~IL) ∧ IT

    APPEND cannot be used with strings.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (temporary)        W          W_CODE          W
CONSTANTS:              'S', IT               Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lxt                 W
                        K_IACC                LA = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: APPEND    CASE: 2B    SUBJECT: 1

CONDITIONS: (xt ∉ {X,Y,Z}) ∧ (W = LA) ∧ (~IL) ∧ IT

    xt is a value in the user's working area.
    Attempted to append this to a string in the
    accumulator.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (value)            W          W_CODE          W
CONSTANTS:              'S', IT               Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_IACC                LA = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: APPEND    CASE: 3A    SUBJECT: 1

CONDITIONS: (xt ∈ {X,Y,Z}) ∧ (W = LA) ∧ (~IL) ∧ (~IT) ∧ IC

    xt is a kernel temporary. The domains of
    xt do not conform to those in the accumulator.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (temporary)        W          W_CODE          W
CONSTANTS:              'DTYPE', 'S', IC      Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lxt                 W
                        K_IACC                LA = W
                        K_Fxt                 LX
                        K_FACC                LA = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LX = W
PROOF: (~IL) ⇒ LA ≥ LX;
       W = LA ⇒ W ≥ LX.
PRIMITIVE: APPEND    CASE: 3B    SUBJECT: 1

CONDITIONS: (xt ∉ {X,Y,Z}) ∧ (W = LA) ∧ (~IL) ∧ (~IT) ∧ IC

    xt is a user working area value which does
    not conform to the accumulator contents.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (value)            W          W_CODE          W
CONSTANTS:              'DTYPE', 'S', IC      Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_IACC                LA = W
                        K_FACC                W
                        K_Fxt                 W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: APPEND    CASE: 4A    SUBJECT: 1

CONDITIONS: (xt ∈ {X,Y,Z}) ∧ (W = LA) ∧ (~IL) ∧ (~IT) ∧ (~IC) ∧ IV

    xt is a temporary, and appending its tuples
    to the accumulator would result in duplicate keys.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (temporary)        W          W_CODE          W
CONSTANTS:              'DNAME', 'DTYPE',     Unclass
                        'WIDTH', 'ROLE',
                        'S', IV
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lxt                 W
                        K_IACC                LA = W
                        K_Fxt                 LA = W
                        K_FACC                LA = W
                        K_Vxt                 LX = W
                        K_VACC                LA = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

See Case 3A for Subject 1.
PRIMITIVE: APPEND    CASE: 4B    SUBJECT: 1

CONDITIONS: (xt ∉ {X,Y,Z}) ∧ (W = LA) ∧ (~IL) ∧ (~IC) ∧ IV

    xt is a user working area value, but appending
    it to the accumulator would produce duplicate keys.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (value)            W          W_CODE          W
CONSTANTS:              'DNAME', 'DTYPE',     Unclass
                        'WIDTH', 'ROLE',
                        'S', IV
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_IACC                LA = W
                        K_Fxt                 W
                        K_FACC                LA = W
                        K_Vxt                 W
                        K_VACC                LA = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: APPEND    CASE: 5A    SUBJECT: 1

CONDITIONS: (xt ∈ {X,Y,Z}) ∧ (W = LA) ∧ (~IL) ∧ (~IT) ∧ (~IC) ∧ (~IV)

    xt is a temporary, and there are no exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt                    W          W_CODE          W
CONSTANTS:              'DNAME', 'DTYPE',     Unclass
                        'WIDTH', 'ROLE',
                        'S', DN
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_IACC                LA = W
                        K_Lxt                 W
                        K_Fxt                 LA = W
                        K_FACC                LA = W
                        K_Vxt                 LX = W
                        K_VACC                LA = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: APPEND    CASE: 5B    SUBJECT: 1

CONDITIONS: (xt ∉ {X,Y,Z}) ∧ (W = LA) ∧ (~IL) ∧ (~IT) ∧ (~IC) ∧ (~IV)

    xt is a user working area value, and
    there are no exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (value)            W          W_CODE          W
CONSTANTS:              'DNAME', 'DTYPE',     Unclass
                        'WIDTH', 'ROLE',
                        'S', DN
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_IACC                LA = W
                        K_Fxt                 W
                        K_FACC                LA = W
                        K_Vxt                 W
                        K_VACC                LA = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: APPEND    CASE: 6    SUBJECT: 1

CONDITIONS: (W ≱ LA)

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt                    W          (null)⁹         W
CONSTANTS:                                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

⁹ The "null" return code is at level W.
PRIMITIVE: APPEND    CASE: 1A    SUBJECT: 2

CONDITIONS: (xt ∈ {X,Y,Z}) ∧ (~IL) ∧ (~IT) ∧ (~IC) ∧ (~IV)

    xt is a temporary.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (temporary)        W          K_VACC          LA
CONSTANTS:              'DNAME', 'DTYPE',     Unclass
                        'WIDTH', 'ROLE',
                        'S', DN
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lxt                 W
                        K_IACC                LA
                        K_Fxt                 LX
                        K_FACC                LA
                        K_Vxt                 LA
                        K_VACC                LA

HIGHEST LEVEL OBSERVED:  LA
LOWEST LEVEL MODIFIED:   LA

LEMMA: LA ≥ W                                  LEMMA: LA ≥ LX
PROOF: Minimum K-level Invariant [cf. § 4.1]   PROOF: ~IL

PRIMITIVE: APPEND    CASE: 1B    SUBJECT: 2

CONDITIONS: (xt ∉ {X,Y,Z}) ∧ (~IL) ∧ (~IT) ∧ (~IC) ∧ (~IV)

    xt is a user working area value.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             xt (value)            W          K_VACC          LA
CONSTANTS:              'DNAME', 'DTYPE',     Unclass
                        'WIDTH', 'ROLE',
                        'S', DN
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_IACC                LA
                        W_Fxt                 W
                        K_FACC                LA
                        W_Vxt                 W
                        K_VACC                LA

HIGHEST LEVEL OBSERVED:  LA
LOWEST LEVEL MODIFIED:   LA

LEMMA: LA ≥ W
PROOF: Minimum K-level Invariant
O-function CONCAT(x)

[Flowchart for CONCAT: Subject 2 (at level LA). Not reproduced.]
PRIMITIVE: CONCAT    CASE: 1    SUBJECT: 1

CONDITIONS: (W ≥ LA) ∧ IL

    Level of temporary is not dominated
    by the level of the accumulator.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             x (temporary)         W          W_CODE          W
CONSTANTS:              IL                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lx                  W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: W ≥ LA;
       LA ≥ W by Minimum K-level Invariant [cf. § 4.1].

PRIMITIVE: CONCAT    CASE: 2    SUBJECT: 1

CONDITIONS: (W = LA) ∧ (~IL) ∧ IV

    Accumulator and temporary do not
    both contain strings.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             x                     W          W_CODE          W
CONSTANTS:              IV                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lx                  W
                        K_IACC                LA = W
                        K_Ix                  LX

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LX = W
PROOF: LA ≥ LX by ~IL ⇒ W ≥ LX;
       LX ≥ W by Minimum K-level Invariant.
PRIMITIVE: CONCAT    CASE: 3    SUBJECT: 1

CONDITIONS: (W = LA) ∧ (~IL) ∧ (~IV) ∧ ND

    There are no new fields in the
    string to be concatenated.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             x                     W          W_CODE          W
CONSTANTS:              'DNAME', ND           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lx                  W
                        K_IACC                LA = W
                        K_Ix                  LX
                        K_FACC                LA = W
                        K_Fx                  LX

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LX = W
PROOF: W = LA and LA ≥ LX by ~IL ⇒ W ≥ LX;
       LX ≥ W by Minimum K-level Invariant [cf. § 4.1].

PRIMITIVE: CONCAT    CASE: 4    SUBJECT: 1

CONDITIONS: (W = LA) ∧ (~IL) ∧ (~IV) ∧ (~ND)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             x                     W          W_CODE          W
CONSTANTS:              'DNAME', DN           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lx                  W
                        K_IACC                LA = W
                        K_Ix                  LX
                        K_FACC                LA = W
                        K_Fx                  LX

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LX = W by the Lemma in Case 3.
PRIMITIVE: CONCAT    CASE: 5    SUBJECT: 1

CONDITIONS: (W ≱ LA)

    User's current level does not dominate accumulator.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             x                     W          (null)          W
CONSTANTS:                                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: CONCAT    CASE: 1    SUBJECT: 2

CONDITIONS: (~IL) ∧ (~IV) ∧ (~ND)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             x                     W          K_FACC          LA
                                                         K_VACC          LA
CONSTANTS:              'DNAME', DN           Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_Lx                  W
                        K_IACC                LA
                        K_Ix                  LX
                        K_FACC                LA
                        K_Fx                  LX

HIGHEST LEVEL OBSERVED:  LA
LOWEST LEVEL MODIFIED:   LA

LEMMA: LX ≥ W                          LEMMA: LA ≥ LX
PROOF: Minimum K-level Invariant       PROOF: ~IL
O-function DKD(lv)

DKD

[Flowchart for DKD: Subject 1 (at level W). Not reproduced.]
PRIMITIVE: DKD    CASE: 1    SUBJECT: 1

CONDITIONS: IL

    User's current level does not
    dominate the directory level.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             lv                    W          W_CODE          W
CONSTANTS:              IL                    Unclass
VARIABLES:              K_CUR_LEVEL           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: DKD    CASE: 2    SUBJECT: 1

CONDITIONS: (~IL) ∧ NF

    No directory exists at level lv.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             lv                    W          W_CODE          W
CONSTANTS:              0, NF                 Unclass
VARIABLES:              D_D(lv)               lv

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: W ≥ lv
PROOF: ~IL


PRIMITIVE: DKD    CASE: 3    SUBJECT: 1

CONDITIONS: (~IL) ∧ (~NF)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             lv                    W          W_CODE          W
                                                         K_LACC          W
CONSTANTS:              0, 1, 2, 3, 4,        Unclass
                        'OWNER', 'NAME',
                        'TYPE', 'LEVEL',
                        USE_WIDTH, MAX_NAME,
                        LEV_WIDTH, 'R', 'V', DN
VARIABLES:              D_D(lv)               lv
                        K_CUR_ID              W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: W ≥ lv
PROOF: ~IL

PRIMITIVE: DKD    CASE: 1    SUBJECT: 2

CONDITIONS: (~IL) ∧ (~NF)

    No exceptions. Copy directory into accumulator.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             lv                    W          K_FACC          LA
                                                         K_IACC          LA
                                                         K_VACC          LA
CONSTANTS:              (same as Case 3)      Unclass
VARIABLES:              D_D(lv)               lv
                        K_CUR_ID              W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: W ≥ lv                LEMMA: LA = W
PROOF: ~IL                   PROOF: Effect [1] of specification


DKE

    Copy the specified exact size component to the kernel accumulator.
    The object must be open, in order to justify this data movement.

[Flowchart for DKE: Subject 1 (at level W); Subject 2 (at level W ⊔ LEV).
Not reproduced.]
PRIMITIVE: DKE    CASE: 1    SUBJECT: 1

CONDITIONS: (W ≱ LEV)

    Level of object strictly dominates.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          K_LACC          W
CONSTANTS:                                    Unclass
VARIABLES:              K_CUR_LEVEL           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: DKE    CASE: 2    SUBJECT: 1

CONDITIONS: (W ≥ LEV) ∧ NO

    Object has not been opened.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          K_LACC          W
                                                         W_CODE          W
CONSTANTS:              NO, FALSE             Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: DKE    CASE: 3    SUBJECT: 1

CONDITIONS: (W ≥ LEV) ∧ (~NO)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          K_LACC          W
                                                         W_CODE          W
CONSTANTS:              DN, FALSE             Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: DKE    CASE: 1    SUBJECT: 2

CONDITIONS: NO ∧ (W ≥ LEV)

    Dominated object is not open.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          (null)          W
CONSTANTS:              FALSE                 Unclass
VARIABLES:              K_OPEN[LEV]           W
                        K_CUR_LEVEL           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: DKE    CASE: 2    SUBJECT: 2

CONDITIONS: NO ∧ (W ≱ LEV)

    Strictly dominating object is not open.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          K_FACC          LEV
                                                         K_IACC          LEV
                                                         K_VACC          LEV
CONSTANTS:              0, FALSE              Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           LEV

HIGHEST LEVEL OBSERVED:  LEV
LOWEST LEVEL MODIFIED:   LEV

LEMMA: LEV ≥ W
PROOF: Minimum K-level Invariant

PRIMITIVE: DKE    CASE: 3    SUBJECT: 2

CONDITIONS: ~NO

    Object is open, no exception.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          K_FACC          W ⊔ LEV
                                                         K_IACC          W ⊔ LEV
                                                         K_VACC          W ⊔ LEV
CONSTANTS:              FALSE, 'EXACT', 'I',  Unclass
                        SIZ_WIDTH, 'E'
VARIABLES:              K_CUR_LEVEL           W
                        K_OPEN[LEV]           W ⊔ LEV

HIGHEST LEVEL OBSERVED:  W ⊔ LEV
LOWEST LEVEL MODIFIED:   W ⊔ LEV
KDM

[Flowchart, not reproduced. Subject 1 (at level W) tests IL, NO, IC, IV and
SZ in turn and sets W_CODE to IL, NO, IC, IV, SZ or DN. Subject 2 runs at
level LEV.]
PRIMITIVE: KDM    CASE: 1    SUBJECT: 1

CONDITIONS: IL

    Accumulator is not at proper level (W).

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              IL                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: KDM    CASE: 2    SUBJECT: 1

CONDITIONS: (~IL) ∧ NO ∧ (W = LEV)

    Dominated object is not open.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              NO                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_OPEN[LEV]           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: KDM    CASE: 3    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W = LEV) ∧ (~NO) ∧ IC

    The accumulator does not contain
    the object's permission matrix.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              IC                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_OPEN[LEV]           W
                        K_IACC                W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: KDM    CASE: 4    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W = LEV) ∧ (~NO) ∧ (~IC) ∧ IV

    Format of accumulator contents is inappropriate.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              0, 1, 'I', 'L', 'M',  Unclass
                        IV, 'USER', 'VISIBLE',
                        USE_WIDTH
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_OPEN[LEV]           W
                        K_IACC                W
                        K_FACC                W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: KDM    CASE: 5    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W = LEV) ∧ (~NO) ∧ (~IC) ∧ (~IV) ∧ SZ

    This permission matrix would cause the
    maximum size of this object to be exceeded.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              0, 1, 'I', 'L', SZ,   Unclass
                        'USER', 'VISIBLE',
                        USE_WIDTH
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_OPEN[LEV]           LA
                        K_IACC                LA
                        K_FACC                LA
                        D_F(id)               LEV = W
                        D_V(id)               LEV = W
                        D_Z(id)               LEV = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: (~IL) ∧ (W = LEV)
PRIMITIVE: KDM    CASE: 6    SUBJECT: 1

CONDITIONS: (~IL) ∧ (~NO) ∧ (~IC) ∧ (~IV) ∧ (~SZ) ∧ (W = LEV)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              0, 1, 'I', 'L', 'M',  Unclass
                        DN, 'USER', 'VISIBLE',
                        USE_WIDTH
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_OPEN[LEV]           W
                        K_IACC                W
                        K_FACC                W
                        D_F(id)               LEV = W
                        D_V(id)               LEV = W
                        D_Z(id)               LEV = W
                        K_CUR_TIME            W
                        D_H(id)               LEV = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W
PRIMITIVE: KDM    CASE: 1    SUBJECT: 2

CONDITIONS: (~IL) ∧ (~NO) ∧ (~IC) ∧ (~IV) ∧ (~SZ)

    No exception.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          D_M(id)         LEV
                                                         D_E(id)         LEV
                                                         D_H(id)         LEV
CONSTANTS:              0, 1, 'I', 'L', 'M',  Unclass
                        'USER', 'VISIBLE',
                        USE_WIDTH
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W
                        K_OPEN[LEV]           LEV
                        K_IACC                LEV
                        K_FACC                LEV
                        D_F(id)               LEV
                        D_V(id)               LEV
                        D_Z(id)               LEV
                        K_CUR_TIME            W
                        D_H(id)               LEV

HIGHEST LEVEL OBSERVED:  LEV
LOWEST LEVEL MODIFIED:   LEV

LEMMA: LEV ≥ W
PROOF: ~NO ⇒ K_OPEN(id, EXPM) = TRUE.
       The derivation of the Access_set_O and Auth_O
       V-functions in O_APPEND completes the proof.
KDV

    Copy an object's format and values from
    the accumulator to the data base.

PRIMITIVE: KDV    CASE: 1    SUBJECT: 1

CONDITIONS: IL

    Accumulator level is not equal to object level.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              IL                    Unclass
VARIABLES:              K_LACC                W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: KDV    CASE: 2    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W ≠ LEV)

    Object being replaced is at
    a strictly dominating level.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          (null)          W
CONSTANTS:                                    Unclass
VARIABLES:              K_CUR_LEVEL           W
                        K_LACC                W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W


PRIMITIVE: KDV    CASE: 3    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W = LEV) ∧ NO

    Object is not open with STOR access.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              STOR, NO              Unclass
VARIABLES:              K_LACC                W
                        K_CUR_LEVEL           W
                        K_OPEN[LEV]           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: KDV    CASE: 4    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W = LEV) ∧ (~NO) ∧ IC

    Accumulator does not contain
    the appropriate value set.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              'V', STOR, IC         Unclass
VARIABLES:              K_LACC                W
                        K_CUR_LEVEL           W
                        K_OPEN[LEV]           LEV = W
                        K_IACC                LA

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: ~IL ⇒ LA = LEV; but LEV = W.

PRIMITIVE: KDV    CASE: 5    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W = LEV) ∧ (~NO) ∧ (~IC) ∧ SZ

    User has insufficient space to store
    the value set in the data base.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              'V', STOR, SZ         Unclass
VARIABLES:              K_LACC                W
                        K_OPEN[LEV]           W
                        K_IACC                LA
                        D_M(id)               LEV = W
                        K_VACC                LA
                        D_Z(id)               LEV = W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: ~IL ⇒ LA = LEV; but LEV = W.
PRIMITIVE: KDV    CASE: 6    SUBJECT: 1

CONDITIONS: (~IL) ∧ (W = LEV) ∧ (~NO) ∧ (~IC) ∧ (~SZ)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          W_CODE          W
CONSTANTS:              'V', STOR, DN         Unclass
VARIABLES:              K_LACC                W
                        K_OPEN[LEV]           W
                        K_IACC                LA
                        D_M(id)               LEV = W
                        K_FACC                LA
                        K_VACC                LA
                        D_Z(id)               LEV = W
                        D_H(id)               LEV = W
                        K_CUR_ID              W
                        K_CUR_LEVEL           W
                        K_CUR_TIME            W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: ~IL ⇒ LA = LEV; but LEV = W.
PRIMITIVE: KDV    CASE: 1    SUBJECT: 2

CONDITIONS: (~IL) ∧ (~NO) ∧ (~IC) ∧ (~SZ)

    No exceptions. Replace value set in data base.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             id                    W          D_E(id)         LEV
                                                         D_V(id)         LEV
                                                         D_F(id)         LEV
CONSTANTS:              'V', STOR             Unclass
VARIABLES:              K_LACC                W
                        K_OPEN[LEV]           LEV
                        K_IACC                LA
                        K_FACC                LA
                        K_VACC                LA
                        D_M(id)               LEV
                        D_Z(id)               LEV
                        D_H(id)               LEV
                        K_CUR_ID              W
                        K_CUR_TIME            W
                        K_CUR_LEVEL           W

HIGHEST LEVEL OBSERVED:  LEV
LOWEST LEVEL MODIFIED:   LEV

LEMMA: LEV ≥ W                                         LEMMA: LA = LEV
PROOF: K_OPEN(id, EXPM) = TRUE by ~NO.                 PROOF: ~IL
       The derivations of the Access_set_O and Auth_O
       V-functions in O_APPEND complete the proof.


O-function KDZ(n, t)

KDZ
PRIMITIVE: KDZ    CASE: 1    SUBJECT: 1

CONDITIONS: IL

    Accumulator level is not equal to
    the user's current level.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t                  W          W_CODE          W
CONSTANTS:              IL                    Unclass
VARIABLES:              K_LACC                W
                        K_CUR_LEVEL           W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

PRIMITIVE: KDZ    CASE: 2    SUBJECT: 1

CONDITIONS: (~IL) ∧ NE

    Non-existent object.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t                  W          W_CODE          W
CONSTANTS:              0, NE                 Unclass
VARIABLES:              K_LACC                LA
                        K_CUR_LEVEL           W
                        D_Z(id)               W
                        K_CUR_ID              W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: ~IL


PRIMITIVE: KDZ    CASE: 3    SUBJECT: 1

CONDITIONS: (~IL) ∧ (~NE) ∧ IC

    The accumulator does not contain
    the required exact size component.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t                  W          W_CODE          W
CONSTANTS:              0, 'Z', IC            Unclass
VARIABLES:              K_LACC                LA
                        K_CUR_LEVEL           W
                        D_Z(id)               W
                        K_IACC                LA
                        K_CUR_ID              W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: ~IL

PRIMITIVE: KDZ    CASE: 4    SUBJECT: 1

CONDITIONS: (~IL) ∧ (~NE) ∧ (~IC) ∧ SZ

    The current exact size exceeds
    the proposed maximum.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t                  W          W_CODE          W
CONSTANTS:              0, 'Z', SZ            Unclass
VARIABLES:              K_LACC                W
                        K_CUR_ID, K_CUR_LEVEL W
                        D_Z(id)               W
                        K_IACC, K_VACC        LA
                        D_E(id)               W
                        K_CUR_QTA             W

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: ~IL
PRIMITIVE: KDZ    CASE: 5    SUBJECT: 1

CONDITIONS: (~IL) ∧ (~NE) ∧ (~IC) ∧ (~SZ)

    No exceptions.

                        OBSERVED              LEVEL      MODIFIED        LEVEL
PARAMETERS:             n, t                  W          W_CODE          W
CONSTANTS:              0, 'Z', DN            Unclass
VARIABLES:              K_LACC                W
                        K_CUR_LEVEL, K_CUR_ID W
                        D_E(id), D_Z(id)      W
                        K_CUR_QTA             W
                        K_IACC, K_VACC        LA

HIGHEST LEVEL OBSERVED:  W
LOWEST LEVEL MODIFIED:   W

LEMMA: LA = W
PROOF: ~IL

PRIMITIVE: KDZ   CASE: 1   SUBJECT: 2

CONDITIONS: (~IL) ∧ (~NE) ∧ (~IC) ∧ (~SZ)

No exceptions.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   n, t                             W         D_Z(id)                W
                                                         K_CUR_QTA              W
CONSTANTS:    0, 'Z', DN                       Unclass
VARIABLES:    K_LACC                           W
              K_CUR_LEVEL, K_CUR_ID            W
              D_E(id), D_Z(id)                 W
              K_CUR_QTA                        W
              K_IACC, K_VACC                   LA

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W

LEMMA: LA = W
PROOF: ~IL
KWA (flow diagram): Subject 1 (at level W); Subject 2 (at level W).
PRIMITIVE: KWA   CASE: 1   SUBJECT: 1

CONDITIONS: IL

User's current level does not equal accumulator level.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   n                                W         W_CODE                 W
CONSTANTS:    IL                               Unclass
VARIABLES:    K_CUR_LEVEL                      W
              K_LACC                           W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W

PRIMITIVE: KWA   CASE: 2   SUBJECT: 1

CONDITIONS: (~IL) ∧ ND

User has no discretionary authorization.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   n                                W         W_CODE                 W
CONSTANTS:    RDSZ, RDHS, RDPM, RSRV, RETR,
              'E', 'H', 'M', 'R', 'V', 'Z', ND Unclass
VARIABLES:    K_CUR_LEVEL                      W
              K_LACC                           W
              K_CUR_ID                         W
              K_OPEN[LA]                       LA

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W

LEMMA: LA = W
PROOF: Minimum K-level Invariant and ~IL
PRIMITIVE: KWA   CASE: 3   SUBJECT: 1

CONDITIONS: (~IL) ∧ (~ND)

No exceptions.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   n                                W         W_CODE                 W
CONSTANTS:    RDSZ, RDHS, RDPM, RSRV, RETR,
              'E', 'H', 'M', 'R', 'V', 'Z', DN Unclass
VARIABLES:    K_CUR_LEVEL                      W
              K_LACC                           W
              K_CUR_ID                         W
              K_OPEN[LA]                       LA
              K_FACC                           LA
              K_VACC                           LA

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W

LEMMA: LA = W
PROOF: Minimum K-level Invariant and ~IL


PRIMITIVE: KWA   CASE: 1   SUBJECT: 2

CONDITIONS:

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   n                                W         W_Fn                   W
                                                         W_Vn                   W
CONSTANTS:    RDSZ, RDHS, RDPM, RSRV, RETR,
              'E', 'H', 'M', 'R', 'V', 'Z'     Unclass
VARIABLES:    K_CUR_LEVEL                      W
              K_LACC                           W
              K_CUR_ID                         W
              K_OPEN                           LA
              K_VACC                           LA
              K_FACC                           LA

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W

LEMMA: LA = W
PROOF: Minimum K-level Invariant and ~IL
A.1.4 SIGNON, SIGNOFF and MOVE

The security kernel functions SIGNON, SIGNOFF and MOVE are discussed in
Section V of this report. All three functions violate the *-property on a
successful execution, although the simple security principle is always
upheld.

In this section, validations are included for these functions to show
precisely how the *-property is violated. It will be seen that nothing
other than a successful execution can induce a *-property violation, and
that all three functions may only be invoked by trusted subjects operating
at the highest protection level.

The concept of the trusted subject, known as the User Controller Process
(UCP), was introduced in the functional design report, Section 4.1. In
initiating a sign-on to the DMS, the UCP must be restricted, by the
hardware if necessary, to respond only to a human user's request to link
to the DMS and not to the request of a process acting on behalf of a user.

The Data Base Administrator (DBA) is also considered to be a trusted
subject, and only a process acting at system high (SYS_HI) on behalf of
the DBA is permitted to declassify database objects. This is the purpose
of the primitive MOVE.
SIGNON (flow diagram): START; decision KL (N / Y); Subject 2 (on behalf of UCP at level SYS_HI).
PRIMITIVE: SIGNON   CASE: 1   SUBJECT: 1

CONDITIONS: KL

An attempt to invoke SIGNON by other than the trusted UCP at level SYS_HI.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   u, lv, s, r                      W         W_CODE                 W
CONSTANTS:    UCP, SYS_HI, KL                  Unclass
VARIABLES:    K_CUR_ID                         W
              K_CUR_LEVEL                      W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W

PRIMITIVE: SIGNON   CASE: 2   SUBJECT: 1

CONDITIONS: (~KL) ∧ ND

An attempt to sign on by a non-registered data base user.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   u, lv, s, r                      W         W_CODE                 W
CONSTANTS:    DBA, 'DBA_ULIST', 'R',
              UCP, SYS_HI, 0, ND               Unclass
VARIABLES:    K_CUR_ID                         W
              K_CUR_LEVEL                      W
              usent                            SYS_HI

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  W

LEMMA: W = SYS_HI
PROOF: ~KL
PRIMITIVE: SIGNON   CASE: 3   SUBJECT: 1

CONDITIONS: (~KL) ∧ (~ND) ∧ IL

User's maximum level does not dominate requested sign-on level.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   u, lv, s, v                      W         W_CODE                 W
CONSTANTS:    DBA, 'DBA_ULIST', 'R',
              UCP, SYS_HI, 0, MAX_LEVEL, IL    Unclass
VARIABLES:    K_CUR_ID                         W
              K_CUR_LEVEL                      W
              usent                            SYS_HI

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  W

LEMMA: W = SYS_HI
PROOF: ~KL


PRIMITIVE: SIGNON   CASE: 4   SUBJECT: 1

CONDITIONS: (~KL) ∧ (~ND) ∧ (~IL) ∧ DD

User is already signed on at this level.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   u, lv, s, v                      W         W_CODE                 W
CONSTANTS:    DBA, 'DBA_ULIST', 'R',
              UCP, SYS_HI, 0, MAX_LEVEL, DD    Unclass
VARIABLES:    K_CUR_ID                         W
              K_CUR_LEVEL                      W
              usent                            SYS_HI
              D_Q(lv)                          lv

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  W

LEMMA: W = SYS_HI
PROOF: ~KL
PRIMITIVE: SIGNON   CASE: 5   SUBJECT: 1

CONDITIONS: (~KL) ∧ (~ND) ∧ (~IL) ∧ (~DD) ∧ SZ

The user attempting to sign on has requested too much space.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   u, lv, s, v                      W         W_CODE                 W
CONSTANTS:    DBA, 'DBA_ULIST', 'R',
              UCP, SYS_HI, 0, MAX_LEVEL, SZ    Unclass
VARIABLES:    K_CUR_ID                         W
              K_CUR_LEVEL                      W
              usent                            SYS_HI
              D_Q(lv)                          lv

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  W

LEMMA: W = SYS_HI
PROOF: ~KL


PRIMITIVE: SIGNON   CASE: 6   SUBJECT: 1

CONDITIONS: (~KL) ∧ (~ND) ∧ (~IL) ∧ (~DD) ∧ (~SZ)

No exception.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   u, lv, s, v                      W         W_CODE                 W
CONSTANTS:    DBA, 'DBA_ULIST', 'R',
              UCP, SYS_HI, 0, MAX_LEVEL, DN    Unclass
VARIABLES:    K_CUR_ID                         W
              K_CUR_LEVEL                      W
              usent                            SYS_HI
              D_Q(lv)                          lv

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  W

LEMMA: W = SYS_HI
PROOF: ~KL
PRIMITIVE: SIGNON   CASE: 1   SUBJECT: 2

CONDITIONS: (~KL) ∧ (~ND) ∧ (~IL) ∧ (~DD) ∧ (~SZ)

No exceptions. Establish the new DMS user.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   u, lv, s, v                      W         K_CUR_ID(user)         lv
                                                         K_CUR_LEVEL(user)      lv
                                                         K_CUR_QTA(user)        lv
                                                         K_CUR_TIME(user)       lv
                                                         D_Q(lv)                lv
                                                         usent[SUM]             SYS_HI
CONSTANTS:    DBA, 'DBA_ULIST', 'R', SYS_HI, 0,
              MAX_LEVEL, SUM, DN, UCP, LIMIT   Unclass
VARIABLES:    K_CUR_ID(UCP)                    W
              K_CUR_LEVEL(UCP)                 W
              usent                            SYS_HI
              D_Q(lv)                          lv

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  lv

The UCP must violate the *-property in order to sign users on to the system.
SIGNOFF (flow diagram): Subject 1 (at level W); Subject 2 (for UCP at level SYS_HI).
PRIMITIVE: SIGNOFF   CASE: 1   SUBJECT: 1

CONDITIONS: KL

An attempt to invoke SIGNOFF by other than the UCP.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:                                              W_CODE                 W
CONSTANTS:    UCP, SYS_HI, KL                  Unclass
VARIABLES:    K_CUR_LEVEL                      W
              K_CUR_ID                         W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W

PRIMITIVE: SIGNOFF   CASE: 2   SUBJECT: 1

CONDITIONS: DN

No exceptions.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:                                              W_CODE                 W
CONSTANTS:    UCP, SYS_HI, DN                  Unclass
VARIABLES:    K_CUR_LEVEL                      W
              K_CUR_ID                         W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W


PRIMITIVE: SIGNOFF   CASE: 1   SUBJECT: 2

CONDITIONS: No exceptions. The UCP executes SIGNOFF as the result of an
explicit user request, or because of an implicit one, such as turning the
terminal off.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:                                              D_R(|-RESERVE-|)       W
                                                         D_O(|-open obj-|)      W
                                                         D_Q(W)                 W
                                                         usent                  SYS_HI
                                                         K_CUR_ID               W
                                                         K_CUR_LEVEL            W
                                                         K_CUR_QTA              W
                                                         K_CUR_TIME             W
                                                         K_OPEN                 *
                                                         ACC, X, Y, Z           *
CONSTANTS:    UCP, SYS_HI, 0, DN               Unclass
VARIABLES:    D_O(|-open obj-|)                W
              K_CUR_ID                         W
              K_CUR_LEVEL                      W
              D_Q(W)                           W
              usent                            SYS_HI
              K_CUR_QTA                        W
              K_OPEN                           *

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  *

* Any protection level
O-function MOVE(id, lv)

(B) Access table (Variables Observed / Variables Modified)
PRIMITIVE: MOVE   CASE: 1   SUBJECT: 1

CONDITIONS: ND

User is not the DBA.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   id, lv                           W         W_CODE                 W
CONSTANTS:    DBA, ND                          Unclass
VARIABLES:    K_CUR_ID                         W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W

PRIMITIVE: MOVE   CASE: 2   SUBJECT: 1

CONDITIONS: (~ND) ∧ IL

DBA is not signed on at the system high level.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   id, lv                           W         W_CODE                 W
CONSTANTS:    DBA, SYS_HI, IL                  Unclass
VARIABLES:    K_CUR_ID                         W
              K_CUR_LEVEL                      W

HIGHEST LEVEL OBSERVED: W
LOWEST LEVEL MODIFIED:  W
PRIMITIVE: MOVE   CASE: 3   SUBJECT: 1

CONDITIONS: (~ND) ∧ (~IL) ∧ NE

Object does not exist.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   id, lv                           W         W_CODE                 SYS_HI
CONSTANTS:    DBA, SYS_HI, 0, NE               Unclass
VARIABLES:    K_CUR_ID                         SYS_HI
              K_CUR_LEVEL                      SYS_HI
              D_E(id)                          lv

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  SYS_HI

PRIMITIVE: MOVE   CASE: 4   SUBJECT: 1

CONDITIONS: (~ND) ∧ (~IL) ∧ (~NE) ∧ IR

There are outstanding registrations.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   id, lv                           W         W_CODE                 SYS_HI
CONSTANTS:    DBA, SYS_HI, 0, ZERO, IR         Unclass
VARIABLES:    K_CUR_ID                         SYS_HI
              K_CUR_LEVEL                      SYS_HI
              D_E(id)                          lv
              D_D(lv)                          lv

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  SYS_HI
PRIMITIVE: MOVE   CASE: 5   SUBJECT: 1

CONDITIONS: (~ND) ∧ (~IL) ∧ (~NE) ∧ (~IR) ∧ DO

Object is open at present.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   id, lv                           W         W_CODE                 SYS_HI
CONSTANTS:    DBA, SYS_HI, 0, ZERO, DO         Unclass
VARIABLES:    K_CUR_ID                         SYS_HI
              K_CUR_LEVEL                      SYS_HI
              D_E(id)                          lv
              D_D(lv)                          lv
              D_O(id)                          lv

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  SYS_HI

PRIMITIVE: MOVE   CASE: 6   SUBJECT: 1

CONDITIONS: (~ND) ∧ (~IL) ∧ (~NE) ∧ (~IR) ∧ (~DO) ∧ DD

The object already exists at the new level.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   id, lv                           W         W_CODE                 SYS_HI
CONSTANTS:    DBA, SYS_HI, 0, ZERO, DD         Unclass
VARIABLES:    K_CUR_ID                         SYS_HI
              K_CUR_LEVEL                      SYS_HI
              D_E(id)                          lv
              D_D(lv)                          lv
              D_O(id)                          lv

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  SYS_HI
PRIMITIVE: MOVE   CASE: 7   SUBJECT: 1

CONDITIONS: (~ND) ∧ (~IL) ∧ (~NE) ∧ (~IR) ∧ (~DO) ∧ (~DD)

No exceptions.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   id, lv                           W         W_CODE                 SYS_HI
CONSTANTS:    DBA, SYS_HI, 0, ZERO, DN         Unclass
VARIABLES:    K_CUR_ID                         SYS_HI
              K_CUR_LEVEL                      SYS_HI
              D_E(id)                          lv
              D_D(lv)                          lv
              D_O(id)                          lv
              D_F(id)                          lv
              D_H(id)                          lv
              D_M(id)                          lv
              D_V(id)                          lv
              D_Z(id)                          lv
              K_CUR_TIME                       SYS_HI

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  SYS_HI
PRIMITIVE: MOVE   CASE: 1   SUBJECT: 2

CONDITIONS: (~ND) ∧ (~IL) ∧ (~NE) ∧ (~IR) ∧ (~DO) ∧ (~DD)

No exceptions. Copy object to new level; append entry to new directory and
delete entry from old.

              OBSERVED                         LEVEL     MODIFIED               LEVEL
PARAMETERS:   id, lv                           W         D_D(lv)                lv
                                                         D_D(new-lv)            lv
                                                         D_E(id)                lv
                                                         D_F(id)                lv
                                                         D_H(id)                lv
                                                         D_M(id)                lv
                                                         D_V(id)                lv
                                                         D_Z(id)                lv
                                                         D_E(new-id)            lv
                                                         D_F(new-id)            lv
                                                         D_H(new-id)            lv
                                                         D_M(new-id)            lv
                                                         D_V(new-id)            lv
                                                         D_Z(new-id)            lv
CONSTANTS:    DBA, SYS_HI, 0, ZERO, DN         Unclass
VARIABLES:    K_CUR_ID                         SYS_HI
              K_CUR_LEVEL                      SYS_HI
              D_E(id)                          lv
              D_D(lv)                          lv
              D_O(id)                          lv
              D_F(id)                          lv
              D_H(id)                          lv
              D_M(id)                          lv
              D_V(id)                          lv
              D_Z(id)                          lv
              K_CUR_TIME                       SYS_HI

HIGHEST LEVEL OBSERVED: SYS_HI
LOWEST LEVEL MODIFIED:  lv

This  function  violates  the  *-property  in  a controlled 
manner  since  only  the  DBA  may  reclassify  information. 
It  does  not  violate  the  SS-property  because  the  DBA 
must  have  a system  high  current  level. 
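The access-table form used throughout this appendix, and the *-property
argument made in A.1.4 and in the note on MOVE above, can be checked
mechanically: for every item in the OBSERVED column the subject's current
level must dominate the item's level (axiom (i)), and for every item in the
MODIFIED column the item's level must dominate the subject's current level
(axiom (ii)). The following Python is an added example, not code from the
report or from the DMS project. It enters four of the tables above as data
and evaluates both axioms against them. The dominance facts between the
symbolic levels Unclass, W, lv and SYS_HI are an assumption of the example
(the report leaves W and lv as free variables), and a table's lemma (LA = W,
W = SYS_HI) is applied as a substitution, which is how the tables use it.

```python
"""Axiom checker for the access tables of this appendix.

Added example, not code from the report: a validation table is entered as
data (the subject's current level, what it observes and modifies, and the
level of each item) and the model's disclosure axioms are evaluated on it:
  (i)  simple security: subject observes V  =>  CUR_SEC dominates S_V
  (ii) *-property:      subject modifies V  =>  S_V dominates CUR_SEC
Levels are the report's own symbols; the dominance relation between them
is an assumption of this example, declared in DOMINANCE_FACTS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed (constructed) dominance facts, as (lower, higher) pairs.  Unclass is
# the bottom of the lattice and SYS_HI the top; a user level W and a
# requested level lv are left incomparable, as the report leaves them free.
DOMINANCE_FACTS = {
    ("Unclass", "W"), ("Unclass", "lv"), ("Unclass", "SYS_HI"),
    ("W", "SYS_HI"), ("lv", "SYS_HI"),
}


def dominates(high: str, low: str) -> bool:
    """Reflexive, transitive closure of DOMINANCE_FACTS: does high >= low?"""
    if high == low:
        return True
    frontier, seen = [low], {low}
    while frontier:
        cur = frontier.pop()
        for lower, higher in DOMINANCE_FACTS:
            if lower == cur and higher not in seen:
                if higher == high:
                    return True
                seen.add(higher)
                frontier.append(higher)
    return False


@dataclass
class AccessTable:
    primitive: str
    case: int
    subject: int
    cur_level: str                        # CUR_SEC of the executing subject
    observed: List[Tuple[str, str]]       # (item, level) pairs
    modified: List[Tuple[str, str]]
    lemma: Dict[str, str] = field(default_factory=dict)   # e.g. {"LA": "W"}

    def level(self, lvl: str) -> str:
        """Apply the table's lemma (LA = W, W = SYS_HI) before comparing."""
        return self.lemma.get(lvl, lvl)


def check(t: AccessTable) -> Dict[str, object]:
    """Return whether axioms (i) and (ii) hold and which items break them."""
    ss_bad = [v for v, lvl in t.observed if not dominates(t.cur_level, t.level(lvl))]
    star_bad = [v for v, lvl in t.modified if not dominates(t.level(lvl), t.cur_level)]
    return {"simple_security": not ss_bad, "star_property": not star_bad,
            "ss_violations": ss_bad, "star_violations": star_bad}


# Four tables transcribed from this appendix (MOVE's long D_* lists abridged).
KDZ_1_1 = AccessTable("KDZ", 1, 1, "W",
    observed=[("n,t", "W"), ("IL", "Unclass"), ("K_LACC", "W"), ("K_CUR_LEVEL", "W")],
    modified=[("W_CODE", "W")])

KWA_2_1 = AccessTable("KWA", 2, 1, "W",
    observed=[("n", "W"), ("K_CUR_LEVEL", "W"), ("K_LACC", "W"),
              ("K_CUR_ID", "W"), ("K_OPEN[LA]", "LA")],
    modified=[("W_CODE", "W")], lemma={"LA": "W"})

SIGNON_1_2 = AccessTable("SIGNON", 1, 2, "SYS_HI",
    observed=[("u,lv,s,v", "W"), ("K_CUR_ID(UCP)", "W"), ("K_CUR_LEVEL(UCP)", "W"),
              ("usent", "SYS_HI"), ("D_Q(lv)", "lv")],
    modified=[("K_CUR_ID(user)", "lv"), ("K_CUR_LEVEL(user)", "lv"),
              ("K_CUR_QTA(user)", "lv"), ("K_CUR_TIME(user)", "lv"),
              ("D_Q(lv)", "lv"), ("usent[SUM]", "SYS_HI")])

MOVE_1_2 = AccessTable("MOVE", 1, 2, "SYS_HI",
    observed=[("id,lv", "W"), ("K_CUR_ID", "SYS_HI"), ("K_CUR_LEVEL", "SYS_HI"),
              ("D_E(id)", "lv"), ("D_D(lv)", "lv"), ("K_CUR_TIME", "SYS_HI")],
    modified=[("D_D(lv)", "lv"), ("D_D(new-lv)", "lv"),
              ("D_E(id)", "lv"), ("D_E(new-id)", "lv")])


if __name__ == "__main__":
    for t in (KDZ_1_1, KWA_2_1, SIGNON_1_2, MOVE_1_2):
        r = check(t)
        print(f"{t.primitive} case {t.case} subject {t.subject} at {t.cur_level}: "
              f"SS={'ok' if r['simple_security'] else 'VIOLATED'} "
              f"*={'ok' if r['star_property'] else 'VIOLATED ' + str(r['star_violations'])}")
```

Running it reproduces the appendix's conclusions: the KDZ and KWA subject-1
tables satisfy both axioms, KWA only once the lemma LA = W is applied (drop
the lemma and K_OPEN[LA] is flagged, which is why the tables carry a LEMMA
line for every LA entry), while the SIGNON and MOVE subject-2 tables uphold
simple security (a SYS_HI subject may observe anything) but break the
*-property on every item written at level lv.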
APPENDIX II

RESULTS OF THE VALIDATION

The course of the validation revealed certain problems in the
specification. These problems and their solution are summarized in
table A.2.1.
Table A.2.1 (columns: Description; Problem Type; Solution; Functions Affected)
MISSION OF THE DIRECTORATE OF COMPUTER SYSTEMS ENGINEERING

The Directorate of Computer Systems Engineering provides ESD with
technical services on matters involving computer technology to help ESD
system development and acquisition offices exploit computer technology
through engineering application to enhance Air Force systems and to
develop guidance to minimize R&D and investment costs in the application
of computer technology.

The Directorate of Computer Systems Engineering also supports AFSC to
insure the transfer of computer technology and information throughout the
Command, including maintaining an overview of all matters pertaining to
the development, acquisition, and use of computer resources in systems in
all Divisions, Centers and Laboratories and providing AFSC with a
corporate memory for all problems/solutions and developing recommendations
for RDT&E programs and changes in management policies to insure such
problems do not reoccur.


